CVE-2023-39325

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2023-39325
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2023-10-11 22:15:00 UTC
Updated2024-03-10 04:15:00 UTC
DescriptionA malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

Risk And Classification

Problem Types: CWE-770

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Fedoraproject Fedora 37 All All All
Operating System Fedoraproject Fedora 38 All All All
Operating System Fedoraproject Fedora 39 All All All
Application Golang Go All All All All
Application Golang Http2 All All All All
Application Netapp Astra Trident - All All All
Application Netapp Astra Trident Autosupport - All All All

References

ReferenceSourceLinkTags
Go: Multiple Vulnerabilities (GLSA 202311-09) — Gentoo security security.gentoo.org
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org Mailing List, Third Party Advisory
go.dev/cl/534215 MISC go.dev
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org Mailing List, Third Party Advisory
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org Mailing List, Third Party Advisory
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org Mailing List, Third Party Advisory
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org Mailing List, Third Party Advisory
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org
[security] Go 1.21.3 and Go 1.20.10 are released MISC groups.google.com
net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-39325) · Issue #63417 · golang/go · GitHub MISC go.dev
GO-2023-2102 - Go Packages MISC pkg.go.dev
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org
CVE-2023-39325 Golang Vulnerability in NetApp Products | NetApp Product Security security.netapp.com
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org
[SECURITY] Fedora 38 Update: golang-1.20.10-2.fc38 - package-announce - Fedora Mailing-Lists MISC lists.fedoraproject.org
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org Mailing List, Third Party Advisory
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org Mailing List, Third Party Advisory
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org Mailing List, Third Party Advisory
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org
[SECURITY] Fedora 39 Update: golang-1.21.3-1.fc39 - package-announce - Fedora Mailing-Lists MISC lists.fedoraproject.org
[SECURITY] Fedora 37 Update: golang-1.20.10-3.fc37 - package-announce - Fedora Mailing-Lists MISC lists.fedoraproject.org
go.dev/cl/534235 MISC go.dev
lists.fedoraproject.org/archives/list/[email protected]/messag... lists.fedoraproject.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 160996 Oracle Enterprise Linux Security Update for go-toolset:ol8 (ELSA-2023-5721)
  • 160998 Oracle Enterprise Linux Security Update for go-toolset and golang (ELSA-2023-5738)
  • 161009 Oracle Enterprise Linux Security Update for grafana (ELSA-2023-5867)
  • 161011 Oracle Enterprise Linux Security Update for grafana (ELSA-2023-5863)
  • 161216 Oracle Enterprise Linux Security Update for conmon (ELSA-2023-13029)
  • 161217 Oracle Enterprise Linux Security Update for conmon (ELSA-2023-13028)
  • 161254 Oracle Enterprise Linux Security Update for conmon (ELSA-2023-13053)
  • 161255 Oracle Enterprise Linux Security Update for conmon (ELSA-2023-13054)
  • 200040 Ubuntu Security Notification for Go Vulnerabilities (USN-6574-1)
  • 242173 Red Hat Update for go-toolset:rhel8 (RHSA-2023:5721)
  • 242176 Red Hat Update for go-toolset and golang (RHSA-2023:5738)
  • 242192 Red Hat OpenShift Container Platform 4.13 Security Update (RHSA-2023:5675)
  • 242193 Red Hat Update for rhc-worker-script enhancement and (RHSA-2023:5835)
  • 242198 Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:5679)
  • 242208 Red Hat OpenShift Container Platform 4.11 Security Update (RHSA-2023:5717)
  • 242212 Red Hat Update for grafana (RHSA-2023:5866)
  • 242214 Red Hat Update for grafana (RHSA-2023:5864)
  • 242219 Red Hat Update for grafana (RHSA-2023:5863)
  • 242228 Red Hat Update for OpenStack Platform 17.1.1 (RHSA-2023:5969)
  • 242229 Red Hat Update for Satellite 6.11.5.6 (RHSA-2023:5980)
  • 242230 Red Hat Update for Satellite 6.12.5.2 (RHSA-2023:5979)
  • 242241 Red Hat Update for toolbox (RHSA-2023:6057)
  • 242244 Red Hat Update for toolbox (RHSA-2023:6077)
  • 242347 Red Hat Update for Satellite 6.14 (RHSA-2023:6818)
  • 242357 Red Hat Update for OpenStack Platform 17.1.1 (RHSA-2023:5970)
  • 242362 Red Hat Update for grafana (RHSA-2023:5867)
  • 242363 Red Hat Update for Satellite 6.13.5 (RHSA-2023:5931)
  • 242365 Red Hat Update for OpenStack Platform 16.2.5 (RHSA-2023:5964)
  • 242374 Red Hat OpenShift Container Platform 4.14 Security Update (RHSA-2023:5009)
  • 242378 Red Hat Update for OpenStack Platform 16.1.9 (RHSA-2023:5967)
  • 242381 Red Hat Update for OpenStack Platform 16.2.5 (RHSA-2023:5965)
  • 242401 Red Hat Update for grafana (RHSA-2023:5865)
  • 242464 Red Hat OpenShift Container Platform 4.14 Security Update (RHSA-2023:6840)
  • 242465 Red Hat OpenShift Container Platform 4.14 Security Update (RHSA-2023:6839)
  • 242989 Red Hat OpenShift Container Platform 4.15 Security Update (RHSA-2023:7201)
  • 242990 Red Hat OpenShift Container Platform 4.15 Security Update (RHSA-2023:7200)
  • 284688 Fedora Security Update for golang (FEDORA-2023-fe53e13b5b)
  • 284689 Fedora Security Update for golang (FEDORA-2023-4bf641255e)
  • 284741 Fedora Security Update for pack (FEDORA-2023-5029b92850)
  • 284742 Fedora Security Update for pack (FEDORA-2023-257f33c602)
  • 284743 Fedora Security Update for syncthing (FEDORA-2023-fa2d7b25d9)
  • 284744 Fedora Security Update for syncthing (FEDORA-2023-d58c8eeb7c)
  • 284753 Fedora Security Update for podman (FEDORA-2023-e359fd31d2)
  • 284754 Fedora Security Update for podman (FEDORA-2023-a5a5542890)
  • 284755 Fedora Security Update for prometheus (FEDORA-2023-b43faebc9f)
  • 284756 Fedora Security Update for prometheus (FEDORA-2023-b60ff8c9ec)
  • 284776 Fedora Security Update for golang (FEDORA-2023-66966ae3d0)
  • 284783 Fedora Security Update for golang (FEDORA-2023-c858d2c53b)
  • 284784 Fedora Security Update for golang (FEDORA-2023-548163deb1)
  • 284798 Fedora Security Update for gmailctl (FEDORA-2023-6f4c5b6331)
  • 284861 Fedora Security Update for golang (FEDORA-2024-fd3545a844)
  • 284862 Fedora Security Update for golang (FEDORA-2024-ae653fb07b)
  • 284863 Fedora Security Update for golang (FEDORA-2024-0ac454dafc)
  • 284868 Fedora Security Update for golang (FEDORA-2024-f99ecead66)
  • 284901 Fedora Security Update for golang (FEDORA-2024-f99ecead66)
  • 285047 Fedora Security Update for golang (FEDORA-2024-07c811c7a5)
  • 285052 Fedora Security Update for golang (FEDORA-2024-b85b97c0e9)
  • 285053 Fedora Security Update for golang (FEDORA-2024-fb32950d11)
  • 285054 Fedora Security Update for golang (FEDORA-2024-5d8e87ec66)
  • 285121 Fedora Security Update for gmailctl (FEDORA-2023-e3e4e3f51a)
  • 285131 Fedora Security Update for golang (FEDORA-2023-fa2ec3d3e0)
  • 285137 Fedora Security Update for golang (FEDORA-2023-3a895ff65c)
  • 285148 Fedora Security Update for podman (FEDORA-2023-327346caa5)
  • 285149 Fedora Security Update for prometheus (FEDORA-2023-b75ee820ce)
  • 285152 Fedora Security Update for syncthing (FEDORA-2023-0d46257314)
  • 285182 Fedora Security Update for golang (FEDORA-2023-822aab0a5a)
  • 285323 Fedora Security Update for golang (FEDORA-2024-0d4d9925a2)
  • 285324 Fedora Security Update for golang (FEDORA-2024-c3e32c5635)
  • 285337 Fedora Security Update for exercism (FEDORA-2024-cafa04a149)
  • 296105 Oracle Solaris 11.4 Support Repository Update (SRU) 63.157.1 Missing (CPUOCT2023)
  • 356411 Amazon Linux Security Advisory for golang : ALAS2-2023-2313
  • 356455 Amazon Linux Security Advisory for golang : ALAS-2023-1871
  • 356480 Amazon Linux Security Advisory for runc : ALAS2DOCKER-2023-033
  • 356484 Amazon Linux Security Advisory for containerd : ALAS2DOCKER-2023-032
  • 356513 Amazon Linux Security Advisory for golang : ALAS2023-2023-394
  • 356514 Amazon Linux Security Advisory for containerd : ALAS2023-2023-395
  • 356531 Amazon Linux Security Advisory for docker : ALAS2023-2023-397
  • 356532 Amazon Linux Security Advisory for runc : ALAS2023-2023-396
  • 356558 Amazon Linux Security Advisory for containerd : ALAS2ECS-2023-017
  • 356559 Amazon Linux Security Advisory for runc : ALAS2ECS-2023-018
  • 356564 Amazon Linux Security Advisory for amazon-ecr-credential-helper : ALAS2DOCKER-2023-034
  • 356574 Amazon Linux Security Advisory for docker : ALAS2ECS-2023-019
  • 356580 Amazon Linux Security Advisory for docker : ALAS2DOCKER-2023-031
  • 356589 Amazon Linux Security Advisory for runc : ALAS2NITRO-ENCLAVES-2023-032
  • 356591 Amazon Linux Security Advisory for docker : ALAS2NITRO-ENCLAVES-2023-030
  • 356593 Amazon Linux Security Advisory for cni-plugins : ALAS2-2023-2325
  • 356594 Amazon Linux Security Advisory for golist : ALAS2-2023-2326
  • 356601 Amazon Linux Security Advisory for amazon-ecr-credential-helper : ALAS2NITRO-ENCLAVES-2023-033
  • 356603 Amazon Linux Security Advisory for cri-tools : ALAS2-2023-2324
  • 356604 Amazon Linux Security Advisory for containerd : ALAS2NITRO-ENCLAVES-2023-031
  • 356614 Amazon Linux Security Advisory for oci-add-hooks : ALAS2023-2023-418
  • 356625 Amazon Linux Security Advisory for cni-plugins : ALAS2023-2023-419
  • 356737 Amazon Linux Security Advisory for nerdctl : ALAS2-2023-2339
  • 356747 Amazon Linux Security Advisory for containerd : ALAS-2023-1888
  • 356878 Amazon Linux Security Advisory for ecs-init : ALAS2ECS-2023-020
  • 356897 Amazon Linux Security Advisory for ecs-init : ALAS2023-2023-434
  • 356912 Amazon Linux Security Advisory for ecs-init : ALAS2023-2023-435
  • 357008 Amazon Linux Security Advisory for amazon-cloudwatch-agent : ALAS2-2024-2424
  • 357038 Amazon Linux Security Advisory for amazon-cloudwatch-agent : ALAS2023-2024-498
  • 357040 Amazon Linux Security Advisory for containerd : ALAS2023-2024-499
  • 357082 Amazon Linux Security Advisory for containerd : ALAS2DOCKER-2024-037
  • 357098 Amazon Linux Security Advisory for containerd : ALAS2NITRO-ENCLAVES-2024-037
  • 357256 Amazon Linux Security Advisory for containerd : ALAS2NITRO-ENCLAVES-2024-038
  • 357257 Amazon Linux Security Advisory for containerd : ALAS2DOCKER-2024-038
  • 357323 Amazon Linux Security Advisory for containerd : ALAS2ECS-2024-035
  • 378964 Alibaba Cloud Linux Security Update for grafana (ALINUX3-SA-2023:0131)
  • 379545 Splunk Enterprise Third Party Package Updates for March 2024 (SVD-2024-0303)
  • 379646 Alibaba Cloud Linux Security Update for go-toolset:rhel8 (ALINUX3-SA-2024:0033)
  • 503386 Alpine Linux Security Update for go
  • 506088 Alpine Linux Security Update for go
  • 6140372 AWS Bottlerocket Security Update for HTTP/2 (GHSA-48vh-q3rp-4grw)
  • 673519 EulerOS Security Update for golang (EulerOS-SA-2023-3270)
  • 673612 EulerOS Security Update for golang (EulerOS-SA-2024-1082)
  • 673963 EulerOS Security Update for golang (EulerOS-SA-2024-1269)
  • 673979 EulerOS Security Update for golang (EulerOS-SA-2023-3299)
  • 673981 EulerOS Security Update for golang (EulerOS-SA-2024-1058)
  • 673988 EulerOS Security Update for golang (EulerOS-SA-2023-3331)
  • 674107 EulerOS Security Update for golang (EulerOS-SA-2023-3242)
  • 691327 Free Berkeley Software Distribution (FreeBSD) Security Update for traefik (7a1b2624-6a89-11ee-af06-5404a68ad561)
  • 710791 Gentoo Linux Go Multiple Vulnerabilities (GLSA 202311-09)
  • 755088 SUSE Enterprise Linux Security Update for go1.21 (SUSE-SU-2023:4069-1)
  • 755089 SUSE Enterprise Linux Security Update for go1.20 (SUSE-SU-2023:4068-1)
  • 755272 SUSE Enterprise Linux Security Update for go1.20-openssl (SUSE-SU-2023:4472-1)
  • 755275 SUSE Enterprise Linux Security Update for go1.21-openssl (SUSE-SU-2023:4469-1)
  • 770208 Red Hat OpenShift Container Platform 4.13 Security Update (RHSA-2023:5675)
  • 770209 Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:5679)
  • 770210 Red Hat OpenShift Container Platform 4.11 Security Update (RHSA-2023:5717)
  • 770213 Red Hat OpenShift Container Platform 4.14 Security Update (RHSA-2023:5009)
  • 770214 Red Hat OpenShift Container Platform 4.14 Security Update (RHSA-2023:6840)
  • 770234 Red Hat OpenShift Container Platform 4.15 Security Update (RHSA-2023:7201)
  • 907488 Common Base Linux Mariner (CBL-Mariner) Security Update for cert-manager (31639-1)
  • 907491 Common Base Linux Mariner (CBL-Mariner) Security Update for golang (31310-1)
  • 907493 Common Base Linux Mariner (CBL-Mariner) Security Update for opa (31648-1)
  • 907494 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-containerd (31646-1)
  • 907495 Common Base Linux Mariner (CBL-Mariner) Security Update for skopeo (31660-1)
  • 907497 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-containerd-cc (31647-1)
  • 907501 Common Base Linux Mariner (CBL-Mariner) Security Update for coredns (31691-1)
  • 907504 Common Base Linux Mariner (CBL-Mariner) Security Update for etcd (31692-1)
  • 907505 Common Base Linux Mariner (CBL-Mariner) Security Update for cri-tools (31609-1)
  • 907507 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-compose (31645-1)
  • 907514 Common Base Linux Mariner (CBL-Mariner) Security Update for telegraf (31616-1)
  • 907516 Common Base Linux Mariner (CBL-Mariner) Security Update for vitess (31655-1)
  • 907604 Common Base Linux Mariner (CBL-Mariner) Security Update for multus (31859-1)
  • 907606 Common Base Linux Mariner (CBL-Mariner) Security Update for blobfuse2 (31608-1)
  • 907619 Common Base Linux Mariner (CBL-Mariner) Security Update for kured (31857-1)
  • 907823 Common Base Linux Mariner (CBL-Mariner) Security Update for golang (31310-2)
  • 907875 Common Base Linux Mariner (CBL-Mariner) Security Update for coredns (31691-2)
  • 907877 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-containerd-cc (31647-2)
  • 907908 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-compose (31645-2)
  • 907920 Common Base Linux Mariner (CBL-Mariner) Security Update for vitess (31655-2)
  • 907921 Common Base Linux Mariner (CBL-Mariner) Security Update for packer (33330-1)
  • 941296 AlmaLinux Security Update for go-toolset:rhel8 (ALSA-2023:5721)
  • 941298 AlmaLinux Security Update for go-toolset and golang (ALSA-2023:5738)
  • 941308 AlmaLinux Security Update for grafana (ALSA-2023:5863)
  • 941310 AlmaLinux Security Update for grafana (ALSA-2023:5867)
  • 941329 AlmaLinux Security Update for toolbox (ALSA-2023:6077)
  • 961056 Rocky Linux Security Update for grafana (RLSA-2023:5863)
  • 961058 Rocky Linux Security Update for go-toolset and golang (RLSA-2023:5738)
  • 961063 Rocky Linux Security Update for go-toolset:rhel8 (RLSA-2023:5721)
  • 961065 Rocky Linux Security Update for Satellite (RLSA-2023:6818)
  • 961071 Rocky Linux Security Update for toolbox (RLSA-2023:6077)
  • 995566 GO (Go) Security Update for golang.org/x/net (GHSA-4374-p667-p6c8)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report